Creating A Layer 3/4 Class Map For Management Traffic - Cisco PIX 500 Series Configuration Manual

Chapter 21
Using Modular Policy Framework

Creating a Layer 3/4 Class Map for Management Traffic

For management traffic to the security appliance, you might want to perform actions specific to this kind
of traffic. You can specify a management class map that can match an access list or TCP or UDP ports.
The types of actions available for a management class map in the policy map are specialized for
management traffic. Namely, this type of class map lets you inspect RADIUS accounting traffic and set
connection limits.
To create a class map for management traffic to the security appliance, perform the following steps:

Step 1
Create a class map by entering the following command:
hostname(config)# class-map type management class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name "class-default" is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.

Step 2
(Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3
Define the traffic to include in the class by matching one of the following characteristics. You can include only one match command in the class map.

• Access list—The class map matches traffic specified by an extended access list. If the security appliance is operating in transparent firewall mode, you can use an EtherType access list.
hostname(config-cmap)# match access-list access_list_name
For more information about creating access lists, see the "Adding an Extended Access List" section on page 16-5 or the "Adding an EtherType Access List" section on page 16-8. For information about creating access lists with NAT, see the "IP Addresses Used for Access Lists When You Use NAT" section on page 16-3.

• TCP or UDP destination ports—The class map matches a single port or a contiguous range of ports.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
Tip: For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.
For a list of ports you can specify, see the "TCP and UDP Ports" section on page D-11.
For example, enter the following command to match TCP packets on port 80 (HTTP):
hostname(config-cmap)# match port tcp eq 80

Identifying Traffic Using a Layer 3/4 Class Map
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 21-5
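As an added example that is not part of the guide, the three steps combined into one configuration fragment: a management class map built from an access list and a second one built from a port match, then a policy map applying the two management-specific actions the section mentions (RADIUS accounting inspection and connection limits). The class-map and access-list names, the admin subnet, the connection limits, and the policy-map and service-policy syntax are assumptions, not taken from this page.

```cisco
! Added example, not from the guide. All names, addresses and limits are assumed values.

! Step 3 (access-list variant): admin SSH and HTTPS sessions to the appliance,
! restricted to the assumed admin subnet 10.0.50.0/24
access-list MGMT_ADMIN extended permit tcp 10.0.50.0 255.255.255.0 any eq 22
access-list MGMT_ADMIN extended permit tcp 10.0.50.0 255.255.255.0 any eq 443

! Step 1: management class map (shares the name space with every other class map type)
class-map type management MGMT_ADMIN_CLASS
 ! Step 2 (optional): description
 description Admin SSH/HTTPS sessions to the security appliance
 ! Step 3: exactly one match command per class map
 match access-list MGMT_ADMIN

! Step 3 (port variant): RADIUS accounting sent to the appliance on UDP 1813
class-map type management MGMT_RADIUS_ACCT
 description RADIUS accounting traffic to the security appliance
 match port udp eq 1813

! Policy map using the actions available for management class maps.
! The policy-map and service-policy syntax below is assumed from later
! sections of the guide; it is not shown on this page.
policy-map MGMT_POLICY
 class MGMT_RADIUS_ACCT
  inspect radius-accounting
 class MGMT_ADMIN_CLASS
  ! Cap concurrent and half-open admin sessions to the appliance
  set connection conn-max 10 embryonic-conn-max 5

! Apply the policy on the interface that faces the admin subnet (assumed: inside)
service-policy MGMT_POLICY interface inside
```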